Malware Analysis Report

2025-03-14 22:51

Sample ID: 240406-1h3vnsbg2x
Target: e35861d845057356fd7c600cf895bb0a_JaffaCakes118
SHA256: 8bd5a7eafd012d57bc62ca67641e4c452c65ac427b8189ffec5a125f1f2c9f67
Tags: evasion, persistence, upx
Score: 10/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK
    Enterprise Matrix V15
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: 8bd5a7eafd012d57bc62ca67641e4c452c65ac427b8189ffec5a125f1f2c9f67

Threat Level: Known bad

The file e35861d845057356fd7c600cf895bb0a_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

Tags: evasion, persistence, upx

Modifies firewall policy service

Executes dropped EXE

Loads dropped DLL

UPX packed file

Adds Run key to start application

Drops file in Program Files directory

Unsigned PE

Suspicious use of WriteProcessMemory

Of these, "Loads dropped DLL" and "Suspicious use of WriteProcessMemory" appear only in this summary; neither behavioral run below records a detail row for them, so they are not confirmed by the per-run evidence in this report.

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-04-06 21:39

Signatures

UPX packed file

upx
Description | Indicator | Process | Target
1 match; no description, indicator, process or target recorded

Unsigned PE

Description | Indicator | Process | Target
2 matches; no description, indicator, process or target recorded
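What a static "UPX packed file" and "Unsigned PE" verdict usually rests on, as an added example written for this page (it is not the sandbox's own signature logic): walk the PE section table for UPX's section names and its "UPX!" marker, measure per-section entropy, and read the Security data directory to see whether an Authenticode signature blob is attached. build_test_pe() builds a constructed minimal PE32 image for the demonstration; it is not this sample, and the PLAIN image only claims a signature size so that the signed/unsigned branch can be exercised offline.

```python
"""Static checks behind the 'UPX packed file' and 'Unsigned PE' hits: walk the PE
section table for UPX's section names and marker, measure per-section entropy,
and read the Security data directory for an embedded Authenticode signature.
Added example (not the sandbox's logic); build_test_pe() makes a constructed
minimal PE32 image, not this sample, so everything runs offline."""
import math
import struct
from collections import Counter


def shannon_entropy(data):
    """Bits per byte: ~8.0 for compressed or encrypted data, low for code or padding."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def _pe_header(image):
    """Return (coff_offset, number_of_sections, size_of_optional_header)."""
    if image[:2] != b'MZ':
        raise ValueError('not an MZ executable')
    e_lfanew = struct.unpack_from('<I', image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b'PE\0\0':
        raise ValueError('missing PE signature')
    coff = e_lfanew + 4
    return coff, struct.unpack_from('<H', image, coff + 2)[0], struct.unpack_from('<H', image, coff + 16)[0]


def pe_sections(image):
    """[(name, raw bytes)]; 40-byte section headers follow the optional header."""
    coff, count, size_opt = _pe_header(image)
    table = coff + 20 + size_opt
    out = []
    for i in range(count):
        hdr = table + 40 * i
        name = image[hdr:hdr + 8].rstrip(b'\0').decode('latin-1')
        size_raw, ptr_raw = struct.unpack_from('<II', image, hdr + 16)   # SizeOfRawData, PointerToRawData
        out.append((name, image[ptr_raw:ptr_raw + size_raw]))
    return out


def has_embedded_signature(image):
    """True when data directory 4 (Security) is non-empty, i.e. an Authenticode blob is attached."""
    coff, _, _ = _pe_header(image)
    opt = coff + 20
    magic = struct.unpack_from('<H', image, opt)[0]
    dirs = opt + (96 if magic == 0x10B else 112)        # PE32 vs PE32+ data-directory offset
    _, size = struct.unpack_from('<II', image, dirs + 4 * 8)
    return size != 0


def upx_indicators(image):
    """The three cheap UPX tells: section names, the 'UPX!' marker, high entropy."""
    secs = pe_sections(image)
    return {'upx_sections': [n for n, _ in secs if n.upper().startswith('UPX')],
            'upx_marker': b'UPX!' in image,
            'entropy': {n: round(shannon_entropy(d), 2) for n, d in secs}}


def looks_upx_packed(image):
    ind = upx_indicators(image)
    return bool(ind['upx_sections']) or ind['upx_marker']


def build_test_pe(sections, security_size=0):
    """Constructed minimal PE32 (MZ stub, headers, section table, raw data) for offline tests only."""
    size_opt, e_lfanew = 224, 0x80
    table = e_lfanew + 4 + 20 + size_opt
    data_off = (table + 40 * len(sections) + 0x1FF) & ~0x1FF
    hdr = bytearray(data_off)
    hdr[:2] = b'MZ'
    struct.pack_into('<I', hdr, 0x3C, e_lfanew)
    hdr[e_lfanew:e_lfanew + 4] = b'PE\0\0'
    struct.pack_into('<HH', hdr, e_lfanew + 4, 0x14C, len(sections))        # Machine=i386, NumberOfSections
    struct.pack_into('<H', hdr, e_lfanew + 20, size_opt)                     # SizeOfOptionalHeader
    struct.pack_into('<H', hdr, e_lfanew + 24, 0x10B)                        # PE32 magic
    struct.pack_into('<II', hdr, e_lfanew + 24 + 96 + 32, 0, security_size)  # Security directory entry
    body = bytearray()
    for i, (name, data) in enumerate(sections):
        off = table + 40 * i
        hdr[off:off + 8] = name.encode('latin-1').ljust(8, b'\0')
        struct.pack_into('<IIII', hdr, off + 8, len(data), 0x1000 * (i + 1), len(data), data_off + len(body))
        body += data
    return bytes(hdr) + bytes(body)


# Constructed inputs: a UPX-style layout with a high-entropy UPX1, and a plain image that claims a signature.
PACKED = build_test_pe([('UPX0', b''), ('UPX1', bytes(range(256)) * 4 + b'UPX!'), ('.rsrc', b'\0' * 64)])
PLAIN = build_test_pe([('.text', b'\x55\x8b\xec\xc3' * 128), ('.data', b'\0' * 256)], security_size=4096)

if __name__ == '__main__':
    for label, img in (('packed', PACKED), ('plain', PLAIN)):
        print(label, upx_indicators(img), 'embedded signature:', has_embedded_signature(img))
```

Two caveats when reading these hits in a report: section names and the marker are trivial for an operator to rename or strip, so "UPX packed" is a hint that unpacking (upx -d, or a memory dump such as the ones listed in the Files sections) is the next step, not a classification in itself; and an empty Security directory only means no embedded signature, since catalog-signed Windows binaries also show an empty directory, so confirm "unsigned" on a live host with signtool verify or Get-AuthenticodeSignature before acting on it.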

Analysis: behavioral1

Detonation Overview

Submitted: 2024-04-06 21:39
Reported: 2024-04-06 21:42
Platform: win7-20240221-en
Max time kernel: 146s
Max time network: 126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e35861d845057356fd7c600cf895bb0a_JaffaCakes118.exe"

Signatures

Modifies firewall policy service

evasion
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Program Files (x86)\Common Files\System\rtproc32.exe = "C:\\Program Files (x86)\\Common Files\\System\\rtproc32.exe:*:Enabled:Microsoft Runtime Process for Win32 Services" | C:\Program Files (x86)\Common Files\System\rtproc32.exe | N/A

The value is in the legacy Windows Firewall allowed-applications format path:scope:state:name: scope "*" means any remote address, state Enabled switches the exception on, and the display name "Microsoft Runtime Process for Win32 Services" is the same string the sample uses for its Run value. The process column shows that the copy running as rtproc32.exe writes the exception for itself.

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Common Files\System\rtproc32.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
6 matches; no description, indicator, process or target recorded

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Runtime Process for Win32 Services = "C:\\Program Files (x86)\\Common Files\\System\\rtproc32.exe" | C:\Program Files (x86)\Common Files\System\rtproc32.exe | N/A

The key lands under Wow6432Node, the 32-bit view of HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run to which a 32-bit process's writes are redirected on 64-bit Windows; a check that only reads the native Run key will miss it.

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files (x86)\Common Files\System | C:\Program Files (x86)\Common Files\System\rtproc32.exe | N/A
File created | C:\Program Files (x86)\Common Files\System\rtproc32.exe | C:\Program Files (x86)\Common Files\System\rtproc32.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\System\rtproc32.exe | C:\Program Files (x86)\Common Files\System\rtproc32.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\System | C:\Users\Admin\AppData\Local\Temp\e35861d845057356fd7c600cf895bb0a_JaffaCakes118.exe | N/A
File created | C:\Program Files (x86)\Common Files\System\rtproc32.exe | C:\Users\Admin\AppData\Local\Temp\e35861d845057356fd7c600cf895bb0a_JaffaCakes118.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\System\rtproc32.exe | C:\Users\Admin\AppData\Local\Temp\e35861d845057356fd7c600cf895bb0a_JaffaCakes118.exe | N/A

Both the submitted sample and its running copy create and reopen the same path: the original drops rtproc32.exe, and rtproc32.exe then re-creates it itself. Writing under Program Files requires elevation, consistent with the run executing as the sandbox's Admin user.
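Detection logic for the two registry indicators in this run (the Run-key autostart and the firewall allowed-application entry, which point at the same rtproc32.exe), as an added example written for this page; it is not part of the sandbox report or its signature engine. It works on a .reg export so it runs offline: SAMPLE_REG is constructed from the report's indicators (the OneDrive entry is constructed benign noise), the two key suffixes are the ones this report shows, and TRUSTED_PREFIXES is an assumed allowlist for the vendor-name heuristic. The same check applies unchanged to the identical entries in behavioral2.

```python
"""Correlate Run-key autostarts with legacy Windows Firewall 'authorized
application' exceptions in a .reg export, the two indicators this sample
leaves in the registry.

Added example, not part of the sandbox report. SAMPLE_REG is constructed from
the report's indicators; TRUSTED_PREFIXES is an assumption for the heuristic."""
import re
from collections import namedtuple

# Constructed export: the sample's two writes plus one benign Run entry as noise.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Runtime Process for Win32 Services"="C:\\Program Files (x86)\\Common Files\\System\\rtproc32.exe"
"OneDrive"="C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files (x86)\\Common Files\\System\\rtproc32.exe"="C:\\Program Files (x86)\\Common Files\\System\\rtproc32.exe:*:Enabled:Microsoft Runtime Process for Win32 Services"
'''

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]\s*$')
VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<data>(?:[^"\\]|\\.)*)"\s*$')
# Legacy firewall list format: <path>:<scope>:<Enabled|Disabled>:<display name>.
# The path itself contains "C:", so split(':') is wrong; anchor on the trailing
# fields and let the path group match lazily.
FW_RE = re.compile(r'^(?P<path>.+?):(?P<scope>[^:]*):(?P<state>Enabled|Disabled):(?P<name>.*)$')

RUN_SUFFIX = r'\microsoft\windows\currentversion\run'
FW_LIST_SUFFIX = r'\firewallpolicy\standardprofile\authorizedapplications\list'
# Assumed: where a Microsoft-branded autostart would normally live.
TRUSTED_PREFIXES = ('c:\\windows\\', 'c:\\program files\\microsoft', 'c:\\program files (x86)\\microsoft')

Finding = namedtuple('Finding', 'path display_name reasons')


def unescape(s):
    """Undo .reg escaping: \\\\ -> \\ and \\" -> "."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg(text):
    """Yield (key, value_name, data) for every string value in a .reg export."""
    key = None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            key = m.group('key')
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            yield key, unescape(m.group('name')), unescape(m.group('data'))


def parse_firewall_value(data):
    """Split an AuthorizedApplications\\List value into path/scope/state/name, or None."""
    m = FW_RE.match(data)
    return m.groupdict() if m else None


def exe_path(cmd):
    """Best-effort executable path from a Run-key command line (quoted or bare)."""
    cmd = cmd.strip()
    if cmd.startswith('"') and cmd.find('"', 1) > 0:
        return cmd[1:cmd.find('"', 1)]
    m = re.match(r'(?i)^(.+?\.exe)(?:\s|$)', cmd)
    return m.group(1) if m else cmd


def analyze(reg_text):
    """One Finding per firewall-excepted binary that also trips a heuristic."""
    run_targets, fw_entries = {}, []
    for key, name, data in parse_reg(reg_text):
        k = key.lower()
        if k.endswith(RUN_SUFFIX):
            run_targets[exe_path(data).lower()] = name
        elif k.endswith(FW_LIST_SUFFIX):
            fw = parse_firewall_value(data)
            if fw:
                fw_entries.append(fw)
    findings = []
    for fw in fw_entries:
        path, reasons = fw['path'].lower(), []
        if fw['state'] == 'Enabled' and fw['scope'] == '*':
            reasons.append('enabled firewall exception for any remote address')
        if path in run_targets:
            reasons.append('same binary is also a Run-key autostart (%r)' % run_targets[path])
        if 'microsoft' in fw['name'].lower() and not path.startswith(TRUSTED_PREFIXES):
            reasons.append('Microsoft-branded display name outside a Microsoft install directory')
        if reasons:
            findings.append(Finding(fw['path'], fw['name'], tuple(reasons)))
    return findings


if __name__ == '__main__':
    for f in analyze(SAMPLE_REG):
        print(f.path, '(%s)' % f.display_name)
        for r in f.reasons:
            print('  -', r)
```

On a live host the input comes from reg export of the FirewallPolicy and Run keys (both 32-bit and native views). Two limits worth knowing: this legacy list is only one of the places an exception can be stored, the Vista-and-later rule store under FirewallPolicy\FirewallRules being the other, and ControlSet001 in the report is the sandbox's current control set, so check CurrentControlSet on a real machine.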

Processes

C:\Users\Admin\AppData\Local\Temp\e35861d845057356fd7c600cf895bb0a_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e35861d845057356fd7c600cf895bb0a_JaffaCakes118.exe"

C:\Program Files (x86)\Common Files\System\rtproc32.exe

"C:\Program Files (x86)\Common Files\System\rtproc32.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | irc.antisecbrteam.tk | udp

The only network activity recorded on the Win7 run is a single DNS lookup of irc.antisecbrteam.tk; no TCP connection to a resolved address follows, so the IRC server (which the report does not characterise further) was not reached from this detonation.

Files

memory/2784-0-0x0000000000400000-0x0000000000421000-memory.dmp

\Program Files (x86)\Common Files\System\rtproc32.exe

MD5    e35861d845057356fd7c600cf895bb0a
SHA1   5119b59327cef622c7bde65d973f6d0bbbfee4d6
SHA256 8bd5a7eafd012d57bc62ca67641e4c452c65ac427b8189ffec5a125f1f2c9f67
SHA512 cbd077c9d6df6f372ce7b623ec92ecdee287914c92e2785c6694f717473172880de1e8e185085d955e071d5260f74d8c3cf4c0b7991067ee0522344c08756499

These are the submitted sample's own hashes (the MD5 is the sample's file name, the SHA256 matches the Analysis Overview), so rtproc32.exe is an unmodified copy of the sample placed under Program Files (x86)\Common Files\System; no other dropped file is recorded in this run. The memory dumps come from two processes (PIDs 2784 and 1992), matching the two entries in the process list.

memory/2784-10-0x0000000000290000-0x00000000002B1000-memory.dmp
memory/2784-11-0x0000000000290000-0x00000000002B1000-memory.dmp
memory/1992-12-0x0000000000400000-0x0000000000421000-memory.dmp
memory/2784-13-0x0000000000400000-0x0000000000421000-memory.dmp
memory/1992-15-0x0000000000400000-0x0000000000421000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-04-06 21:39
Reported: 2024-04-06 21:42
Platform: win10v2004-20240319-en
Max time kernel: 149s
Max time network: 154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e35861d845057356fd7c600cf895bb0a_JaffaCakes118.exe"

Signatures

Modifies firewall policy service

evasion
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Program Files (x86)\Common Files\System\rtproc32.exe | N/A
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Program Files (x86)\Common Files\System\rtproc32.exe | N/A
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | C:\Program Files (x86)\Common Files\System\rtproc32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Program Files (x86)\Common Files\System\rtproc32.exe = "C:\\Program Files (x86)\\Common Files\\System\\rtproc32.exe:*:Enabled:Microsoft Runtime Process for Win32 Services" | C:\Program Files (x86)\Common Files\System\rtproc32.exe | N/A

On this Win10 image the StandardProfile\AuthorizedApplications\List path did not exist beforehand: the sample creates the whole legacy key chain before writing the same path:*:Enabled:name value it wrote on Win7, which is itself a useful detection point (creation of AuthorizedApplications\List by a non-Windows process).

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Common Files\System\rtproc32.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
5 matches; no description, indicator, process or target recorded

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Runtime Process for Win32 Services = "C:\\Program Files (x86)\\Common Files\\System\\rtproc32.exe" | C:\Program Files (x86)\Common Files\System\rtproc32.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files (x86)\Common Files\System\rtproc32.exe | C:\Users\Admin\AppData\Local\Temp\e35861d845057356fd7c600cf895bb0a_JaffaCakes118.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\System | C:\Program Files (x86)\Common Files\System\rtproc32.exe | N/A
File created | C:\Program Files (x86)\Common Files\System\rtproc32.exe | C:\Program Files (x86)\Common Files\System\rtproc32.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\System\rtproc32.exe | C:\Program Files (x86)\Common Files\System\rtproc32.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\System | C:\Users\Admin\AppData\Local\Temp\e35861d845057356fd7c600cf895bb0a_JaffaCakes118.exe | N/A
File created | C:\Program Files (x86)\Common Files\System\rtproc32.exe | C:\Users\Admin\AppData\Local\Temp\e35861d845057356fd7c600cf895bb0a_JaffaCakes118.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e35861d845057356fd7c600cf895bb0a_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e35861d845057356fd7c600cf895bb0a_JaffaCakes118.exe"

C:\Program Files (x86)\Common Files\System\rtproc32.exe

"C:\Program Files (x86)\Common Files\System\rtproc32.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4088 --field-trial-handle=2232,i,3915538061666887171,15629965885515244134,262144 --variations-seed-version /prefetch:8

Network

53 rows recorded; identical rows are collapsed with a count, in order of first appearance.

Count | Country | Destination | Domain | Proto
1 | US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp
1 | US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
29 | US | 8.8.8.8:53 | irc.antisecbrteam.tk | udp
1 | US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp
1 | US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp
1 | US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
1 | US | 8.8.8.8:53 | 21.114.53.23.in-addr.arpa | udp
1 | NL | 23.62.61.170:443 | www.bing.com | tcp
1 | US | 8.8.8.8:53 | 170.61.62.23.in-addr.arpa | udp
2 | NL | 142.251.39.110:443 | (none) | tcp
1 | NL | 172.217.168.202:443 | (none) | tcp
1 | US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
1 | US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp
1 | US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp
1 | US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
1 | US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
1 | US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp
1 | US | 8.8.8.8:53 | tse1.mm.bing.net | udp
4 | US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
1 | US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp
1 | US | 8.8.8.8:53 | 40.173.79.40.in-addr.arpa | udp

The one name attributable to the sample is irc.antisecbrteam.tk: 29 lookups over the run and no TCP flow to any resolved address, which is how a domain that no longer resolves (or whose answers were not followed by a connection) presents in this view; the irc. label points at an IRC-based command channel, which the report does not characterise further. The reverse lookups of CDN and cloud-provider addresses, the bing.com and tse1.mm.bing.net traffic and the msedge.exe utility process in the process list are consistent with Windows 10 background activity and cannot be tied to the sample from this report alone.
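The triage step behind the reading above, as an added example written for this page (not the sandbox's own tooling): parse rows in the report's Country Destination Domain Proto layout, count DNS lookups per name, and flag names that were queried repeatedly but never produced a TCP flow, which is the signature of a dead, unregistered or unanswered C2 domain in a capture. LOG is a constructed excerpt of this run's table (bare TCP rows without a domain included), and MIN_QUERIES is an assumed threshold.

```python
"""Triage a sandbox network table: count DNS lookups per name and flag names
queried repeatedly with no TCP flow ever following.

Added example, not part of the report. LOG is a constructed excerpt in the
report's 'Country Destination Domain Proto' layout; MIN_QUERIES is assumed."""
from collections import defaultdict

LOG = """\
US 8.8.8.8:53 irc.antisecbrteam.tk udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
NL 23.62.61.170:443 www.bing.com tcp
US 8.8.8.8:53 irc.antisecbrteam.tk udp
NL 142.251.39.110:443 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 irc.antisecbrteam.tk udp
"""

MIN_QUERIES = 3  # assumed: fewer lookups than this is not worth calling 'repeated'


def parse_row(line):
    """One table row -> dict; the Domain column is optional (bare TCP flows omit it)."""
    parts = line.split()
    if len(parts) == 4:
        country, dest, domain, proto = parts
    elif len(parts) == 3:
        (country, dest, proto), domain = parts, ''
    else:
        return None
    host, _, port = dest.rpartition(':')
    return {'country': country, 'host': host, 'port': int(port),
            'domain': domain, 'proto': proto}


def summarize(log, min_queries=MIN_QUERIES):
    """Per-name DNS/TCP counts plus the names that look like unanswered beacons."""
    stats = defaultdict(lambda: {'dns': 0, 'tcp': 0, 'ptr': False})
    for line in log.splitlines():
        row = parse_row(line)
        if not row or not row['domain']:
            continue                       # bare flows carry no name to pivot on
        s = stats[row['domain']]
        if row['proto'] == 'udp' and row['port'] == 53:
            s['dns'] += 1
            s['ptr'] = row['domain'].endswith('.in-addr.arpa')   # reverse lookup, not a beacon
        elif row['proto'] == 'tcp':
            s['tcp'] += 1
    flagged = sorted(d for d, s in stats.items()
                     if s['dns'] >= min_queries and s['tcp'] == 0 and not s['ptr'])
    return dict(stats), flagged


if __name__ == '__main__':
    stats, flagged = summarize(LOG)
    for name in flagged:
        print('%s: %d DNS queries, no TCP flow' % (name, stats[name]['dns']))
```

The table only records that a query was sent, not the answer, so a flagged name should be confirmed against the pcap (NXDOMAIN versus an answer the sample chose not to connect to); a sandbox that sinkholes DNS would instead show TCP flows to its own fake server, which this output would not flag.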

Files

memory/4428-0-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Program Files (x86)\Common Files\System\rtproc32.exe

MD5    e35861d845057356fd7c600cf895bb0a
SHA1   5119b59327cef622c7bde65d973f6d0bbbfee4d6
SHA256 8bd5a7eafd012d57bc62ca67641e4c452c65ac427b8189ffec5a125f1f2c9f67
SHA512 cbd077c9d6df6f372ce7b623ec92ecdee287914c92e2785c6694f717473172880de1e8e185085d955e071d5260f74d8c3cf4c0b7991067ee0522344c08756499

As on Win7, the dropped rtproc32.exe carries the submitted sample's own four hashes, so it is a byte-identical self-copy; no other dropped file is recorded. The memory dumps come from two processes (PIDs 4428 and 2604), and the same 0x00400000-0x00421000 image range appears in both runs.

memory/2604-6-0x0000000000400000-0x0000000000421000-memory.dmp
memory/4428-7-0x0000000000400000-0x0000000000421000-memory.dmp
memory/2604-8-0x0000000000400000-0x0000000000421000-memory.dmp